Department of Computer Science & Engineering

Sender anonymity in location-based services (LBS) attempts to hide the identity of a mobile device user who sends requests to the LBS provider for services in her proximity (e.g. "find the nearest gas station", "theater", "restaurant", etc.). The goal is to keep the requester's interests private even from attackers who (via hacking or subpoenas) gain access to the request and to the locations of the mobile user and other nearby users at the time of the request. In an LBS context, the best-studied privacy guarantee is known as {\em sender k-anonymity}, which is intended to insure that the request log and precise location information are insufficient to distinguish among the actual requester and k-1 other possible requester. We show that state-of-the art solutions for sender k-anonymity defend only against naive attackers who have no knowledge of the anonymization policy that is in use. We strengthen the privacy guarantee to defend against more realistic ``policy-aware'' attackers. Our implementation and experiments show that the novel privacy guarantee has potential for practical impact, being efficiently enforceable, with limited reduction in utility when compared to policy-unaware guarantees.

Pre-2018 CSE ID: CS2009-0939